[gatein-issues] [JBoss JIRA] Resolved: (GTNPORTAL-996) GateIn+JOSSO integration: Problems with logout

Sohil Shah (JIRA) jira-events at lists.jboss.org
Fri Apr 16 02:57:25 EDT 2010


     [ https://jira.jboss.org/jira/browse/GTNPORTAL-996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sohil Shah resolved GTNPORTAL-996.
----------------------------------

    Resolution: Done


CAS is fixed.

Note: The CAS logout screen does not support an auto redirect back. Instead it provides a parameterized link on the logout screen. The user has to click on that link to get back to their original web app. (They frown upon this practice, but this looks like the middle ground.)

This is not a CAS bug. It's by design. They argue that when you log out you should really close out your browser for security reasons, because if you log out of one site, it does not necessarily mean you are logged out from other sites. So someone can go into the browser history and gain access to your account on other sites that are part of the SSO network.
 

> GateIn+JOSSO integration: Problems with logout
> ----------------------------------------------
>
>                 Key: GTNPORTAL-996
>                 URL: https://jira.jboss.org/jira/browse/GTNPORTAL-996
>             Project: GateIn Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 3.0.0-GA
>         Environment: GateIn-3.0.0-GA+JBoss 5.1 bundle (port 8080 for HTTP),
> JOSSO-1.8.1+Tomcat 6.0.18 bundle (port 8888 for HTTP),
>            Reporter: Marek Posolda
>            Assignee: Sohil Shah
>
> After integrating GateIn portal with JOSSO, I did these steps:
> - Click "Sign in" in GateIn
> - Log in as root in the JOSSO console
> - Log out of GateIn
> - Click the "Sign in" link again. Now I am directly authenticated to GateIn, which is not correct to me because now I am not able to log in as a different user in this web session.
> The problem is that the JOSSO cookie is not cleared from the browser when logging out of GateIn. I am able to log in as a different user after clearing the cookie directly from the web browser via the browser cookie manager.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
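
As an added illustration of the cookie problem described in the report (not code from GateIn, JOSSO or CAS): a check that a logout response's Set-Cookie headers actually tell the browser to delete the SSO cookie on the path it was issued for. The cookie name JOSSO_SESSIONID, the paths and the sample headers are assumptions constructed for this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SSO_COOKIE = "JOSSO_SESSIONID"  # assumed name; use the cookie your SSO agent sets

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs), attribute keys lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def tells_browser_to_delete(attrs, now):
    """Max-Age <= 0 or a past Expires deletes the cookie; Max-Age takes precedence."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) <= now
    except (TypeError, ValueError):
        pass  # unparsable attribute: treated as not clearing (conservative)
    return False

def logout_clears_cookie(headers, name=SSO_COOKIE, issued_path="/", now=None):
    """True if some Set-Cookie header expires `name` on the path it was issued for.
    Assumption: a header without Path is treated as Path=/ (logout URL at site root)."""
    now = now or datetime.now(timezone.utc)
    for header in headers:
        cookie, attrs = parse_set_cookie(header)
        # A deletion with a different Path targets a different cookie in the jar.
        if cookie == name and attrs.get("path", "/") == issued_path:
            if tells_browser_to_delete(attrs, now):
                return True
    return False

# Constructed logout responses (not captured from a real deployment).
BROKEN = ["JSESSIONID=0A1B2C; Path=/portal; HttpOnly"]  # SSO cookie untouched
WRONG_PATH = ["JOSSO_SESSIONID=-; Path=/portal; Max-Age=0"]
FIXED = ["JOSSO_SESSIONID=-; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT"]

if __name__ == "__main__":
    for label, hdrs in [("broken", BROKEN), ("wrong path", WRONG_PATH), ("fixed", FIXED)]:
        print(f"{label}: SSO cookie cleared = {logout_clears_cookie(hdrs)}")
```

The WRONG_PATH case is the one that tends to survive a first fix: the server sends a deletion, but for a path other than the one the SSO cookie was set on, so the browser keeps the original.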

        

